Header checking disabled¶
ID: cs/web/disabled-header-checking Kind: problem Severity: warning Precision: high Tags: - security - external/cwe/cwe-113 Query suites: - csharp-code-scanning.qls - csharp-security-extended.qls - csharp-security-and-quality.qls
This rule finds places in the code where header checking is disabled. When header checking is enabled, which is the default, the
\n characters found in a response header are encoded to
%0a. This defeats header-injection attacks by making the injected material part of the same header line. If you disable header checking, you open potential attack vectors against your client code.
Do not disable header checking.